Thursday, 27 March 2025

Azure MFA NPS Extension Configuration Failure Due to Microsoft Graph PowerShell Module Conflicts

Introduction

When configuring the Azure MFA NPS Extension using the official script (AzureMfaNpsExtnConfigSetup.ps1), administrators may encounter a failure during the update of the Azure Active Directory service principal. The script attempts to push certificate data using the Microsoft Graph PowerShell SDK, and the process fails with the following error:

Update-MgServicePrincipal : Cannot convert the literal '<cert_blob>' to the expected type 'Edm.Binary'.
Status: 400 (BadRequest)

This issue typically occurs due to multiple versions or conflicting installations of the Microsoft Graph PowerShell modules, which can lead to serialization or data formatting errors during API operations.

This KB provides a tested remediation process by removing all existing Graph modules and reinstalling the required components cleanly.

Instructions

✅ Step 1 – Manually Uninstall All Microsoft.Graph Modules

Open PowerShell as Administrator and run the following script to uninstall all installed versions of any Microsoft.Graph modules:

# Enumerate every installed Microsoft.Graph* module except Microsoft.Graph.Authentication,
# which the other Graph modules depend on and is therefore removed last
$Modules = Get-Module Microsoft.Graph* -ListAvailable | Where-Object {$_.Name -ne "Microsoft.Graph.Authentication"} | Select-Object Name -Unique
Foreach ($Module in $Modules)
{
    $ModuleName = $Module.Name
    # Remove every installed version of the module, not only the newest one
    $Versions = Get-Module $ModuleName -ListAvailable
    Foreach ($Version in $Versions)
    {
        $ModuleVersion = $Version.Version
        Write-Host "Uninstall-Module $ModuleName $ModuleVersion"
        Uninstall-Module $ModuleName -RequiredVersion $ModuleVersion
    }
}

# Uninstall Microsoft.Graph.Authentication last, once nothing depends on it
$ModuleName = "Microsoft.Graph.Authentication"
$Versions = Get-Module $ModuleName -ListAvailable
Foreach ($Version in $Versions)
{
    $ModuleVersion = $Version.Version
    Write-Host "Uninstall-Module $ModuleName $ModuleVersion"
    Uninstall-Module $ModuleName -RequiredVersion $ModuleVersion
}

After the script completes, manually rerun it until this command returns no results:

Get-InstalledModule | Where-Object { $_.Name -like "Microsoft.Graph*" }

📝 Note: Some modules may be reloaded or may not uninstall cleanly on the first attempt, especially if there are versioning or dependency overlaps. Repeating the uninstall step ensures a clean removal.

✅ Step 2 – Install Required Microsoft Graph Modules

Once all previous versions are removed, install only the latest required modules:

Install-Module Microsoft.Graph

✅ Step 3 – Rerun the Configuration Script

With a clean module set installed, rerun the configuration script:

C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1

The script should now complete successfully, allowing Azure MFA to integrate with the NPS service and Remote Desktop Gateway.
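A pre-flight check to run before Step 3, added here as an example and not part of the original post or of Microsoft's configuration script: it reports the module states this KB attributes the failure to (the same Microsoft.Graph module installed in several versions, sub-modules at mismatched versions, or a stale version already loaded in the current session) and only launches the configuration script when none is found. It assumes the sub-modules of one Microsoft.Graph SDK release share a version number, and uses the script path given in Step 3.

```powershell
# Added pre-flight check; not part of the original KB or of AzureMfaNpsExtnConfigSetup.ps1.
# Assumption: the Microsoft.Graph sub-modules of one SDK release carry the same version
# number, so a sub-module whose newest version differs from Microsoft.Graph.Authentication
# is treated as a leftover from an earlier install.
function Test-GraphModuleConsistency {
    $installed = Get-Module Microsoft.Graph* -ListAvailable
    if (-not $installed) {
        Write-Warning 'No Microsoft.Graph modules installed; run Install-Module Microsoft.Graph first.'
        return $false
    }
    $clean  = $true
    $byName = $installed | Group-Object Name

    # Check 1: the same module present in more than one version (upgrades without cleanup).
    foreach ($group in ($byName | Where-Object Count -gt 1)) {
        $versions = ($group.Group.Version | Sort-Object -Unique) -join ', '
        Write-Warning "$($group.Name) has multiple versions installed: $versions"
        $clean = $false
    }

    # Check 2: sub-modules whose newest version differs from Microsoft.Graph.Authentication.
    $auth = $byName | Where-Object Name -eq 'Microsoft.Graph.Authentication'
    if ($auth) {
        $authVersion = @($auth.Group.Version | Sort-Object -Descending)[0]
        foreach ($group in $byName) {
            $newest = @($group.Group.Version | Sort-Object -Descending)[0]
            if ($newest -ne $authVersion) {
                Write-Warning "$($group.Name) $newest does not match Microsoft.Graph.Authentication $authVersion"
                $clean = $false
            }
        }
    }

    # Check 3: a Graph module already loaded in this session at a version other than the one on disk.
    foreach ($loaded in (Get-Module Microsoft.Graph*)) {
        $onDisk = @(($byName | Where-Object Name -eq $loaded.Name).Group.Version | Sort-Object -Descending)
        if ($onDisk.Count -gt 0 -and $loaded.Version -ne $onDisk[0]) {
            Write-Warning "$($loaded.Name) $($loaded.Version) is loaded but $($onDisk[0]) is installed; open a new session"
            $clean = $false
        }
    }
    return $clean
}

# Only launch the configuration script on a clean, single-version module set.
if (Test-GraphModuleConsistency) {
    & 'C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1'
}
```

If any warning is printed, repeat Step 1 and Step 2 before running the configuration script; the warnings name the module and versions left behind.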

Additional Notes

This issue has been independently reported in the sysadmin community and is reproducible in environments where Microsoft Graph modules are upgraded over time without cleanup.

No interference was found from Microsoft Defender in typical environments, though exclusions may still be useful in some configurations.
